Security Bulletin
Summary
There is vulnerability in Apache Commons BeanUtils used by IBM Spectrum LSF Suite and Spectrum LSF Application Center.
Vulnerability Details
CVEID: CVE-2019-10086
DESCRIPTION: Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/166353 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
DESCRIPTION: Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/166353 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Affected Products and Versions
Spectrum LSF Suite 10.2, Spectrum LSF Application Center 10.2
Remediation/Fixes
| Product | VRMF | APAR | Remediation/First Fix |
|
Spectrum LSF Suite
Spectrum LSF Application Center
|
10.2 | None |
1. Download Apache Commons BeanUtils v1.9.4 from: http://commons.apache.org/proper/commons-beanutils/download_beanutils.cgi. (The following steps use x86_64 as an example.)
2. Copy the package into the Application Center host. 3. On the Application Center host, stop pmc and plc services. 4. On the Application Center host, extract new files and replace old files with commons-beanutils-1.9.4.jar in the following directories: $PERF_TOP/1.2/lib/commons-beanutils.jar
$GUI_TOP/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/commons-beanutils-1.9.2.jar
5. Delete all files under $GUI_TOP/work/platform/workarea.
6. On the Application Center host, start plc and pmc services on demand. |
Workarounds and Mitigations
N/A
Get Notified about Future Security Bulletins
References
Off
Change History
Sep 10, 2019: Original version
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSZRJV","label":"IBM Spectrum LSF Application Center"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSZUDP","label":"IBM Spectrum LSF Suite for HPC"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSZU9Q","label":"IBM Spectrum LSF Suite for Workgroups"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Was this topic helpful?
Document Information
Modified date:
27 September 2019
UID
ibm11073222